Has anyone ever seen this VPN IPSEC error?

May 24 14:52:26.622 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=49, sequence number=263777

If so what does it mean?

-RWS

Evolution

hi,

I don't know anything about your topology, but I am sending a link from Cisco.

If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as that.

may it be easy....

-

Hello Evolution,

May 24 14:52:26.622 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=49, sequence number=263777 -- the message is telling you that the packet has arrived after the anti-replay timer has expired. Anti-replay has major significance in the crypto world. Please read more about it on Google if you are interested. You can also read the IPSEC charter on the IETF website to learn its significance.

This msg can come when there is a delay in the network path and the packets are fragmented. Because of this delay, the anti-replay timer of the queue which holds all the fragments together has expired, and it will discard the whole queue. Normally this msg is not alarming; however, if you are receiving a lot of it, then you must check the delay and RTT in your network path. Sometimes playing with MTU values and ICMP type 3 code 4 (packet too big, need fragmentation) can also help. If you enable debug ICMP and you see ICMP type 3 code 4, you will know you have an MTU problem in the network.

I hope this info will be of some use to you.

-Vikas

sampark
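As an added illustration (my own code, not from the thread, from Cisco, or from any poster here), the following Python models the ESP anti-replay sliding window defined in RFC 4303. The receiver tracks the highest sequence number accepted so far plus a bitmap of the packets just below it; a packet whose sequence number has fallen below the window, or one that has already been seen, fails the replay check, which is the condition the %CRYPTO-4-PKT_REPLAY_ERR line reports. The arrival orders fed through it are constructed, and the 64-packet window used as the default is the IOS default size.

```python
"""Simulation of the IPsec ESP anti-replay sliding window (RFC 4303, Appendix A).

Added example, not code from the thread or from Cisco. It shows why a packet
that is delayed by more than the window size is rejected even though it is
not a replay, and why a genuinely duplicated packet is rejected regardless
of the window size. All sequence numbers below are constructed.
"""


class AntiReplayWindow:
    """Receiver-side replay state for one inbound SA."""

    def __init__(self, window_size=64):
        if window_size < 32:  # RFC 4303 requires a window of at least 32
            raise ValueError("window size must be at least 32")
        self.size = window_size
        self.top = 0      # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0   # bit i set => sequence number (top - i) has been received

    def check(self, seq):
        """Apply the replay check to a 32-bit ESP sequence number.

        Returns (accepted, reason) and updates the window on acceptance.
        """
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            # Packet is newer than anything seen: slide the window up to it.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1          # everything previously tracked falls off
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "advanced window"
        diff = self.top - seq
        if diff >= self.size:
            # Too old: this is the case the syslog message corresponds to.
            return False, "replay check failed: below window"
        if self.bitmap & (1 << diff):
            return False, "replay check failed: duplicate"
        self.bitmap |= 1 << diff
        return True, "inside window"


def simulate(arrivals, window_size=64):
    """Feed an arrival order through a fresh window; return the rejected packets."""
    window = AntiReplayWindow(window_size)
    rejected = []
    for seq in arrivals:
        accepted, reason = window.check(seq)
        if not accepted:
            rejected.append((seq, reason))
    return rejected


def delayed_packet_example(window_size=64):
    """Constructed case: packets 1..200 in order, except that packet 100 is
    delayed on the path and arrives last. With a 64-packet window it is
    rejected; with a 128-packet window it is accepted."""
    arrivals = [s for s in range(1, 201) if s != 100] + [100]
    return simulate(arrivals, window_size)


def true_replay_example(window_size=64):
    """Constructed case: packet 150 is delivered twice. The second copy is
    rejected as a duplicate no matter how large the window is."""
    arrivals = list(range(1, 201)) + [150]
    return simulate(arrivals, window_size)


if __name__ == "__main__":
    print("window 64, delayed packet :", delayed_packet_example(64))
    print("window 128, delayed packet:", delayed_packet_example(128))
    print("window 64, replayed packet:", true_replay_example(64))
```

When triaging this message, the distinction the simulation makes is the useful one: a steady trickle of "below window" rejections on a path known to reorder or delay packets points at the window size or path latency, while a burst of duplicates on a path that should not reorder is worth treating as possible replay or a forwarding loop.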

Only if you know your network and your ISP is your friend should you be doing this. Otherwise, there is still no way you can set the default and modify the values for other tunnels. Packet size of 64 is quite a size for most of the networks.

The experimental version of this code has been running since 12.3.8T, and they introduced it in 12.3.14T, again a T line of code.

-Vikas

sampark

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.